What the Efail Vulnerability Should Teach Us About Trust

Trust in the information we consume is low and getting lower. It’s time to do better. Sharing data has become such an integral element of our lives – both business and personal – that we can no longer postpone a drastic rethinking of how we protect and control the use of our data.

Efail: A Case in Point

The revelation that common encryption tools for protecting emails contain exploitable bugs shocked the security community and privacy-conscious individuals. But the real danger of Efail isn’t the theft of messages. It’s the further erosion of consumer trust – trust that has diminished significantly over the past few years.

Today’s economy runs on data. In the same way we need the majority of people to trust our financial and electrical networks, we need them to trust the global network of data-driven relationships that exists between individuals and enterprises.

Is ditching encrypted email the answer? No. If your house burns down, you don’t stop living in houses; you improve home fire safety practices. Simply purchasing new tools or solutions isn’t the answer either. The answer lies in shifting the focus from network-centric security to data-centric security and reframing the discussion accordingly.

Protecting What’s Important

Companies fall into the trap of believing that another purchase and another security implementation is their best chance to secure their businesses. The buy-more, bolt-on mindset has to change. We need to focus on protecting the true target of security exploits: the actual data. We need to apply design thinking to security in the same way we apply it to user interfaces and customer experiences – by putting aside what we think we know and focusing instead on human-centered solutions.

Applying a design thinking approach to data-centric security will require changes that extend beyond our SOC personnel and security administrators, analysts, and experts. We need to enlarge our circles of trust to include all stakeholders – security teams, developers, and end users – both inside and outside our organizations.

The Yin Yang Between Developers and Users

Security professionals acknowledge that users will find ways around security they find hard to use. We know security needs to be intuitive to be effective. But our efforts so far are generally aimed at the generic end user, whose needs are mostly limited to accessing certain systems. That view is too limited.

We also need to think about security from the perspective of the developers and engineers who write and manage the code we’re constantly trying to defend. This cohort works under tight deadlines to produce software that “works,” with the goal of growing users and achieving product-market fit. Security is usually an afterthought for them.

Developers aren’t suddenly going to become security experts, but we can give them easy ways to build gold-standard security into their work on the fly. We can give them a foundational, unified security framework – but only if we are willing to come together to craft a better forward-looking approach.

An Open, Community-Driven Approach to Data-Centric Security

Our adversaries are many and diverse. No single approach or solution will stop them. We need input from security professionals with different areas of expertise to agree on a common set of principles that enable data-centric security. Broadly, this approach should enable ubiquitous adoption, consistently secure implementation, and persistent protection across systems.

Ubiquitous Adoption

If your data and systems are secure but your partners’ are not, then your business assets are vulnerable. Therefore, security needs to be interoperable across platforms, without creating additional steps or complexity for developers, administrators, or users.

The people using these systems need to be able to share data easily and securely. A sender should be able to send an encrypted message to a recipient with whom no existing trust relationship or application infrastructure is shared, and neither party should have to perform complex technical steps in the process. The UX between systems needs to be seamless for all participants.

A seamless UX causes minimal friction. No one wants another password to manage or application to install. A smooth experience should leverage existing accounts and applications instead of new usernames or passwords. Users should not have to install specialized new software to secure crucial information.

With interoperability, seamless user experience, and minimal friction, ubiquitous adoption is within reach. These conditions eliminate the tradeoffs and inconveniences that prevent widespread adoption. By making security much easier to use, data-centric security becomes more prevalent.

Consistently Secure Implementation

Security protocols and standards need to be easy to interpret and contain built-in integrity. For instance, Efail revealed that PGP and S/MIME do not mandate integrity checks at each step throughout encrypted message workflows. Why not? It doesn’t make sense to allow compromised messages to be rendered. Strong policies should use intuitive policy language that makes all security choices comprehensible. Integrity should be built into those policies to make suboptimal security implementations impossible.
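To make the integrity point above concrete, here is an added example (not code from the article or from any PGP or S/MIME implementation) that contrasts a receiver that decrypts and renders without checking integrity with one that verifies a MAC first. The SHA-256 counter-mode keystream is a stand-in chosen to keep the example dependency-free, and all function names and the sample message are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (assumption); real systems use a vetted AEAD.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # encrypt-then-MAC layout

def open_unchecked(enc_key: bytes, blob: bytes) -> bytes:
    # Receiver that ignores the tag and renders whatever decrypts.
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return keystream_xor(enc_key, nonce, ct)

def open_verified(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed; nothing is rendered")
    return keystream_xor(enc_key, nonce, ct)

def modify_in_transit(blob: bytes, offset: int, mask: bytes) -> bytes:
    # Constructed tampering: ciphertext bytes changed without any key.
    start = NONCE_LEN + offset
    patched = bytes(c ^ m for c, m in zip(blob[start:start + len(mask)], mask))
    return blob[:start] + patched + blob[start + len(mask):]

def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    original = b"Pay invoice 1001 to Alice"  # constructed sample message
    blob = seal(enc_key, mac_key, original)
    mask = bytes(a ^ b for a, b in zip(b"Alice", b"Carol"))
    tampered = modify_in_transit(blob, original.index(b"Alice"), mask)
    try:
        open_verified(enc_key, mac_key, tampered)
    except ValueError:
        return open_unchecked(enc_key, tampered), True
    return open_unchecked(enc_key, tampered), False
```

The unchecked receiver returns an altered message that looks perfectly valid, while the verifying receiver refuses to release any plaintext.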

We need to transform developers and engineers into our front-line forces. Right now, they build the apps, and the security community protects the apps. Instead, we can de-silo security by giving developers libraries they can use to easily incorporate security best practices during the development process.

To make that happen, we need to shrink-wrap best practices. Developers should have “security development kits,” akin to the SDKs they are already familiar with, that provide the tools needed to build secure applications from the ground up.

This enables consistently secure deployments that promote a virtuous cycle: end users trust the applications they use because the app developers built them with security best practices that shield end users’ data.

Persistent Protection Across Systems

We’ve become accustomed to treating data as the property of the businesses that collect it, but consumers won’t let that go on indefinitely. Even people who don’t pay attention to technology are becoming aware that corporations are making a lot of money off the data they create. We in the security community would be smart to get ahead of the curve on this by recognizing the creators of data are its true owners and have default rights to its disposition.

To serve data owners, we need to give them visibility into who is using their data, and then we need to provide dynamic controls that enable them to revoke access to it, correct it, decide whether it can be forwarded, and otherwise assert their rights over it.

With default rights and controls that ensure data is protected wherever it travels, data owners will trust enterprises to handle their data in a transparent, responsible manner.

A Framework for the Future

Only when we have a unified framework that incorporates these core principles will we be able to restore trust in the data we create, store, and share. We can say, “Let’s fix email,” but that’s a short-sighted approach. Instead, we should say, “Let’s fix a broader, more systemic issue than email. Let’s fix people’s confidence in how their data is treated.”

The principles laid out here will ultimately let people control their data way beyond email and build trust in how enterprises use consumer data. The security community needs to conduct an open, community-driven process to discuss these principles and determine what data control looks like in the real world.

Of course, this won’t happen overnight. That’s all the more reason to get started now.